Internal audit leaders may feel like their departments are being stretched thin these days—well, even thinner than usual.
New research suggests that internal audit budgets have been cut at many companies, even as the function is facing an expanded workload. The pandemic has exposed new and heightened risks that need audit oversight, but budgets have not increased to provide additional resources to complete the expanded workload. Now a handful of surveys and reports are confirming these concerns.
One such survey, by Gartner Inc. of 299 internal audit organizations, showed that the function faced both declining budgets and a significantly expanded workload in 2020. According to the study, internal audit departments experienced an average decline in budgets of 1.5 percent in 2020, after enjoying increases of roughly 5 percent from 2017 to 2019. The research and advisory company predicts internal audit budgets will remain flat in 2021. Gartner also found that there was no growth in headcount for internal audit shops in 2020 and expects that to continue through this year.
Another recent study also found that budgets at many internal audit functions declined in the past year. According to the 2021 North American Pulse of Internal Audit study, conducted by the Institute of Internal Auditors, more internal audit leaders reported cuts to budgets (36 percent) compared to those who said they experienced a budget increase (20 percent). It was the first time since 2009 that more chief audit executive respondents reported budget cuts than those reporting increases, ending 10 years of internal audit budgets generally rising.
“It doesn’t look like there will be a way to buy more capacity for most internal audit functions in 2021,” said Margaret Moore Porter, managing vice president in the Gartner Audit practice. “Leaders will have to be creative and find ways to get more out of the resources they have.”
Work Piling Up
Meanwhile the workload for many internal audit shops is only increasing, partly due to new and heightened risks exposed by the pandemic. Cybersecurity and IT risks are two areas identified by the Gartner survey where internal audit functions planned to spend more time this year than in the past. Other areas where internal audit leaders say they are devoting more hours are third-party risks, “unanticipated risk events,” and the risk of fraud occurring at their organizations.
“For many heads of audit, it’s not clear where the extra capacity is going to come from,” said Porter. “It’s clear the pandemic has created and heightened risks that need audit oversight, but there is a real danger of the function being overwhelmed unless leaders can find ways to increase capacity without increasing budgets.”
Cybersecurity risks have increased as employees have moved to remote work on their home networks, which are largely less secure than those at corporate offices and branches. Emboldened attackers, perhaps realizing the vulnerability, have stepped up phishing and ransomware attacks. According to Forbes, 2020 broke all records in terms of data lost in breaches and sheer numbers of cyber-attacks on companies, government, and individuals.
Fraud risks have also become elevated during the pandemic. Financial and emotional distress have increased due to the virus. And with workers at home, there may be less oversight on their activities. “Anyone with the slightest understanding of fraud is familiar with the concept of the fraud triangle, which identifies pressure, opportunity, and rationalization as the key ingredients,” said Richard Chambers, president and CEO of the IIA, last summer when the IIA released a report on the topic. “The pandemic is fueling the first—pressure—in myriad ways, as its impact on economies threatens the financial well-being of millions of organizations and billions of workers globally,” he said.
Uncertainty Reigns
Uncertainty itself may not be a specific risk, but it certainly makes risk assessments more difficult. In fact, survey results released by software platform AuditBoard find that the risk landscape will remain greatly amorphous this year rather than returning to more stable pre-pandemic conditions, even if communities begin to bring the pandemic under control.
The findings come from a series of surveys conducted at AuditBoard’s recent Audit & Beyond virtual conference, which was attended by more than 5,000 audit, risk, and compliance practitioners last October. The responses illustrate the long-term changes audit and risk professionals will experience in their roles as a result of the pandemic, and how crucial those individuals will be in helping organizations overcome risk challenges despite gaps in enterprise risk management (ERM) programs.
“Conditions this year have changed drastically due to the pandemic, and audit, risk, and compliance organizations have had to act quickly to adapt to the dynamic risk environment while maintaining operational continuity,” said John Reese, senior vice president of marketing at AuditBoard. “AuditBoard survey responses overwhelmingly showcase how quickly the workplace mindset is shifting, and how important modern audit, risk, and compliance technology has become to support a more remote and connected future.”
Sharing the Burden
So how can internal audit cope with the difficulties of facing more work in an environment of shrinking budgets? Many are looking to partner or share resources with other functions in the organization. According to the Gartner survey, 66 percent of audit departments are in active discussions with other risk and control groups in their organizations on how they can better share resources, notably support for risk assessment and data analytics.
Many audit departments are also looking to better align and rely on risk coverage from the second line, such as the compliance department, to reduce duplication and improve efficiency. Given regulatory scrutiny, that approach is less prevalent in financial services and banking audit departments, where 47 percent do not rely on the second line to provide assurance compared to 35 percent at organizations outside of financial services.
“At the moment this is very far from being a balanced equation,” said Porter. “The obvious implication, if the picture doesn’t become more balanced, is that audit leaders will have to make tough coverage trade-off decisions.”
Performing that balancing act and making those tough decisions are actions that internal audit leaders know all too well.
Joseph McCafferty is Editor & Publisher of Internal Audit 360°.
Good and sobering article 🙂
Re the last section on Sharing the Burden. I think it is not as easy to do/appreciate as the 3LOD dictates that internal audit must be separate from the 2nd and 1st lines. So sharing of resources and initiatives gives the perception of too much involvement that internal audit would have in the other lines of defence. Thoughts?